Merge branch 'issue_15394' into 'master'

Sanitize milestones and labels titles

fixes #15394 

See merge request !4046

CHANGELOG

@@ -21,6 +21,7 @@ v 8.8.0 (unreleased)
   - Update SVG sanitizer to conform to SVG 1.1
   - Updated search UI
   - Display informative message when new milestone is created
+  - Sanitize milestones and labels titles
   - Allow "NEWS" and "CHANGES" as alternative names for CHANGELOG. !3768 (Connor Shea)
   - Added button to toggle whitespaces changes on diff view
   - Backport GitHub Enterprise import support from EE

app/models/label.rb

@@ -117,6 +117,10 @@ class Label < ActiveRecord::Base
     LabelsHelper::text_color_for_bg(self.color)
   end
 
+  def title=(value)
+    write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+  end
+
   private
 
   def label_format_reference(format = :id)

app/models/milestone.rb

@@ -129,6 +129,10 @@ class Milestone < ActiveRecord::Base
     nil
   end
 
+  def title=(value)
+    write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+  end
+
   # Sorts the issues for the given IDs.
   #
   # This method runs a single SQL query using a CASE statement to update the

spec/lib/banzai/filter/milestone_reference_filter_spec.rb

@@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
       milestone.update_attribute(:title, %{"></a>whatever<a title="})
 
       doc = reference_filter("milestone #{reference}")
-      expect(doc.text).to eq "milestone #{milestone.title}"
+      expect(doc.text).to eq "milestone \">whatever"
     end
 
     it 'includes default classes' do

spec/models/label_spec.rb

@@ -55,6 +55,14 @@ describe Label, models: true do
     end
   end
 
+  describe "#title" do
+    let(:label) { create(:label, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(label.title).to eq("test")
+    end
+  end
+
   describe '#to_reference' do
     context 'using id' do
       it 'returns a String reference to the object' do

spec/models/milestone_spec.rb

@@ -34,6 +34,14 @@ describe Milestone, models: true do
   let(:issue) { create(:issue) }
   let(:user) { create(:user) }
 
+  describe "#title" do
+    let(:milestone) { create(:milestone, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(milestone.title).to eq("test")
+    end
+  end
+
   describe "unique milestone title per project" do
     it "shouldn't accept the same title in a project twice" do
       new_milestone = Milestone.new(project: milestone.project, title: milestone.title)